1. Field
Embodiments of the present invention generally relate to computer networking. In particular, embodiments of the present invention relate to achieving security and/or scalability in networking systems.
2. Description of the Related Art
Security threats have evolved dramatically over the last 10 years, moving from network-level, connection-oriented attacks to application-level, agent-based attacks. Conventional networking devices such as firewalls handle network-level packet processing: a conventional firewall can drop packets that do not come from a permitted source, and a VPN gateway can encrypt packets on the fly so that they can safely traverse the Internet. Today's critical network threats, however, such as malware (which includes spyware, viruses and worms), are embedded in the application-level content of packet streams. Detecting and stopping these application-layer threats requires considerable processing power: the content must be extracted from multiple packets, the original content reconstructed, and the result scanned for the telltale signs of attacks or for inappropriate content.
To address these security challenges, modern firewalls must offer application-level content processing in real time, especially for real-time applications (such as Web browsing) at today's, and tomorrow's, increasing network speeds.
In a firewall, processing of network traffic is determined by a set of specific rules which collectively form a firewall policy. The firewall policy dictates how the firewall should handle the network traffic of specific applications, such as web, email or telnet. Exemplary rules include filtering of banned words, blocking of specific URLs, blocking transmission of specific file types, anti-malware scans, blocking of spam, etc. Each firewall policy generally has an associated firewall configuration profile, which configures the firewall to process the network content. The firewall policy is usually created by the network administrator and is based on the information security policy of the respective organization.
A firewall is typically implemented as a hardware/software appliance having a number of physical networking interfaces for the incoming and outgoing network traffic. Network traffic enters one of these interfaces and, after filtering and other appropriate processing, is routed to a remote host typically attached to a different physical interface. In some circumstances, firewalls are also configured with logical interfaces, such as Virtual Local Area Network (VLAN) or Point-to-Point Protocol (PPP) interfaces. Such logical interfaces are implemented purely in software and do not map one-to-one onto a physical interface. For example, in a VLAN configuration, PCs, servers and other network devices communicate as if they were on the same physical LAN segment, even though they may not be. The networking entities in a VLAN configuration may be scattered across multiple physical networks, but to the firewall they appear as if they were all connected through a single (logical) network interface.
Large networks having multiple diverse computer systems can be subdivided into two or more disjoint virtual networks, called "virtual domains". Each such virtual domain has its own routing, network administration and access privileges, as well as its own network security policies and configurations. Virtual domains can be used, for example, by separate organizations to share the same firewall/routing hardware, the networking interfaces of which are segregated into disjoint routing domains that may be administered by different users. Traffic originating from one such virtual domain can only be routed within the same virtual domain.
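As an illustration of the model described above, the following Python program is an added example and is not part of the original specification nor code from any product it describes. It models a firewall whose physical ports carry VLAN sub-interfaces, assigns every physical or logical interface to exactly one virtual domain, resolves routes only against the ingress domain's own routing table, refuses any route that would hand traffic to another domain's interface, and then applies that domain's policy. Interface names, addresses, VLAN identifiers and policy rules are constructed for the example.

```python
"""Model of a firewall with VLAN sub-interfaces and disjoint virtual domains.
Each virtual domain owns its interfaces, its routing table and its policy;
a packet is classified to a domain by its ingress interface and never leaves it.
All names, prefixes and VLAN IDs below are constructed for this example."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    name: str
    vdom: str                    # virtual domain that owns this interface
    physical: str                # underlying physical port
    vlan: Optional[int] = None   # 802.1Q tag for a logical VLAN sub-interface


@dataclass
class Rule:
    src_iface: str
    dst_iface: str
    proto: str
    dport: Optional[int]         # None matches any destination port
    action: str                  # "accept" or "deny"


@dataclass
class VirtualDomain:
    name: str
    # per-domain routing table: (prefix, egress interface name)
    routes: List[Tuple[ipaddress.IPv4Network, str]] = field(default_factory=list)
    policy: List[Rule] = field(default_factory=list)


class Firewall:
    def __init__(self) -> None:
        self.interfaces: Dict[str, Interface] = {}
        self.vdoms: Dict[str, VirtualDomain] = {}

    def add_vdom(self, name: str) -> VirtualDomain:
        self.vdoms[name] = VirtualDomain(name)
        return self.vdoms[name]

    def add_interface(self, iface: Interface) -> None:
        if iface.vdom not in self.vdoms:
            raise ValueError(f"unknown virtual domain {iface.vdom}")
        self.interfaces[iface.name] = iface

    def ingress_interface(self, physical: str, vlan: Optional[int]) -> Optional[Interface]:
        """Map an arriving frame (port, VLAN tag or None) to its interface."""
        for iface in self.interfaces.values():
            if iface.physical == physical and iface.vlan == vlan:
                return iface
        return None

    def route(self, vdom: VirtualDomain, dst: ipaddress.IPv4Address) -> Optional[str]:
        """Longest-prefix match consulting only this domain's routing table."""
        best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
        for prefix, out in vdom.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, out)
        return best[1] if best else None

    def handle(self, physical: str, vlan: Optional[int], src: str, dst: str,
               proto: str, dport: int) -> Tuple[str, Optional[str], str]:
        """Return (verdict, egress interface or None, reason) for one packet."""
        ingress = self.ingress_interface(physical, vlan)
        if ingress is None:
            return "drop", None, "no interface for this port/VLAN"
        vdom = self.vdoms[ingress.vdom]
        out_name = self.route(vdom, ipaddress.IPv4Address(dst))
        if out_name is None:
            return "drop", None, f"no route in vdom {vdom.name}"
        egress = self.interfaces.get(out_name)
        if egress is None or egress.vdom != vdom.name:
            # A route must never point at an interface owned by another domain.
            return "drop", None, f"route would leave vdom {vdom.name}"
        for rule in vdom.policy:  # first-match policy evaluation within the domain
            if (rule.src_iface == ingress.name and rule.dst_iface == egress.name
                    and rule.proto == proto and rule.dport in (None, dport)):
                return rule.action, egress.name, f"rule {rule.src_iface}->{rule.dst_iface}"
        return "deny", egress.name, f"implicit deny in vdom {vdom.name}"


def build_example_firewall() -> Firewall:
    """Two tenants share port1 (VLAN 10 and VLAN 20); each has its own WAN port."""
    fw = Firewall()
    fw.add_vdom("acme")
    fw.add_vdom("globex")
    fw.add_interface(Interface("acme_lan", "acme", "port1", vlan=10))
    fw.add_interface(Interface("acme_wan", "acme", "port2"))
    fw.add_interface(Interface("globex_lan", "globex", "port1", vlan=20))
    fw.add_interface(Interface("globex_wan", "globex", "port3"))
    net = ipaddress.IPv4Network
    fw.vdoms["acme"].routes = [(net("10.1.0.0/16"), "acme_lan"), (net("0.0.0.0/0"), "acme_wan")]
    fw.vdoms["globex"].routes = [(net("10.2.0.0/16"), "globex_lan"), (net("0.0.0.0/0"), "globex_wan")]
    fw.vdoms["acme"].policy = [Rule("acme_lan", "acme_wan", "tcp", 443, "accept"),
                               Rule("acme_lan", "acme_wan", "tcp", 80, "accept")]
    fw.vdoms["globex"].policy = [Rule("globex_lan", "globex_wan", "tcp", 443, "accept")]
    return fw


if __name__ == "__main__":
    fw = build_example_firewall()
    print(fw.handle("port1", 10, "10.1.0.5", "203.0.113.7", "tcp", 443))
    print(fw.handle("port1", 20, "10.2.0.9", "10.1.0.5", "tcp", 443))
```

The third call in the usage above is the isolation case: a host in the globex VLAN addressing a host that lives in acme's LAN is routed through globex's own default route to globex's WAN port, because acme's routing entries are never consulted. The cross-domain check in `handle` is a defensive guard for a misconfigured routing table; in the model a route that names another domain's interface results in a drop rather than leaking traffic.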
Unfortunately, existing firewall systems are deficient in their ability to handle disjoint routing and configuration domains in a scalable and efficient manner. Therefore, what is needed is a scalable firewall system with the ability to manage virtual networking domains in an efficient manner.